This type of technique is a good way to avoid dropping malicious files where AV disk scanners and similar tools would see them: the malicious code is instead hidden as the data of a rogue registry value (REG_BINARY, REG_SZ, etc.). A good example of such threats (called fileless) can be found here. One caveat for hunting: a keyword search over value data only catches payloads stored as readable strings; a payload stored as REG_BINARY, or encoded (base64, hex, reversed), will not match plain keywords and has to be decoded first.
Query example (each reg query is chained with & so all of them run regardless of whether the previous one matched; /s recurses through subkeys, /d searches value data rather than value names, /f is the string to find):
reg query HKCU /s /d /f "javascript" & reg query HKCU /s /d /f "powershell" & reg query HKCU /s /d /f "wmic" & reg query HKCU /s /d /f "rundll32" & reg query HKCU /s /d /f "cmd.exe" & reg query HKCU /s /d /f "cscript" & reg query HKCU /s /d /f "wscript" & reg query HKCU /s /d /f "regsvr32" & reg query HKCU /s /d /f "mshta" & reg query HKCU /s /d /f "scrobj.dll" & reg query HKCU /s /d /f "bitsadmin" & reg query HKCU /s /d /f "certutil" & reg query HKCU /s /d /f "msiexec" & reg query HKCU /s /d /f "javaw.exe"
Tested on 3 different Windows machines (7 and 10): 0 hits for these strings in HKCU value data.
You can create a script that scans the HKCU hive and writes any match to an event log using eventcreate.exe or Write-EventLog, so the hits end up where your log collection already looks.
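A PowerShell version of that scan, added here as an example (it is not code from the original post). It walks HKCU recursively, matches every value's data against the same keyword list as the reg query above, decodes REG_BINARY data as both ASCII and UTF-16LE so a script stored as bytes is not missed, and writes each hit to the Application log with Write-EventLog. The event source name "HKCU-Scan" and event ID 4444 are arbitrary choices for the example.

```powershell
# Added example: scan HKCU value data for the keywords used in the reg query
# above and log hits with Write-EventLog. Source name and event ID are
# hypothetical; the source must be registered once (needs an elevated shell).
$patterns = @('javascript','powershell','wmic','rundll32','cmd.exe','cscript',
              'wscript','regsvr32','mshta','scrobj.dll','bitsadmin','certutil',
              'msiexec','javaw.exe')
$regex  = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
$source = 'HKCU-Scan'   # hypothetical event source name

if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    # One-time registration; requires administrator rights.
    New-EventLog -LogName Application -Source $source
}

# Include the hive root itself; Get-ChildItem -Recurse only yields subkeys.
$keys = @(Get-Item -Path HKCU:\) +
        @(Get-ChildItem -Path HKCU:\ -Recurse -ErrorAction SilentlyContinue)

$hits = foreach ($key in $keys) {
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name).ToString()
        $raw  = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')

        # Turn every value kind into searchable text. REG_BINARY is decoded
        # twice because script text may be stored as ASCII or as UTF-16LE.
        $text = switch ($kind) {
            'Binary'      { [Text.Encoding]::ASCII.GetString($raw) + "`n" +
                            [Text.Encoding]::Unicode.GetString($raw) }
            'MultiString' { $raw -join "`n" }
            default       { [string]$raw }
        }

        if ($text -match $regex) {
            $display = if ($name) { $name } else { '(Default)' }
            $snippet = $text.Substring(0, [Math]::Min(500, $text.Length))
            $msg = "Suspicious data in $($key.Name)\$display [$kind]: $snippet"
            Write-EventLog -LogName Application -Source $source -EventId 4444 `
                           -EntryType Warning -Message $msg
            $msg
        }
    }
}

# Also print the hits so the script is useful interactively.
if ($hits) { $hits } else { Write-Output 'No matches in HKCU value data.' }
```

Run it as the user whose hive you want to inspect (HKCU: maps to the calling user's hive); only the New-EventLog registration needs elevation. Expect a few benign hits on a machine where these tools have been launched by hand, for example from Explorer's RunMRU list, so triage on the key path and the surrounding data rather than on the keyword alone.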